Method and system to enable secure communication for inter-eNB transmission

ABSTRACT

The embodiments herein provide a method and system for creating a secure connection for a User Equipment (UE) in a wireless network including a UE, carrier aggregated with at least one first serving frequency served by a first eNB and at least one second serving frequency served by a second eNB. A unique non-repetitive security base key associated with the second eNB is generated using a freshness parameter and security key associated with the first eNB. The use of a different freshness parameter for each security base key derivation avoids key stream repetition. Further, a user plane encryption key is derived based on the generated unique non-repetitive security base key associated with the second eNB for encrypting data transfer over at least one data radio bearer.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation application of prior application Ser.No. 14/781,450, filed on Sep. 30, 2015, which is a U.S. National Stageapplication under 35 U.S.C. § 371 of an International application filedon Sep. 11, 2014 and assigned application number PCT/KR2014/008492,which claimed the benefit under 35 U.S.C § 119(a) of an Indian patentapplication filed on Sep. 11, 2013 in the Indian Patent Office andassigned Serial number 4059/CHE/2013, the entire disclosure of which ishereby incorporated by reference.

TECHNICAL FIELD

The present invention relates to radio network systems, and moreparticularly to a mechanism for providing secure simultaneoustransmission and reception across multiple eNB's from a User Equipment(UE) with inter-eNB carrier aggregation in the radio network systems.

BACKGROUND ART

With rise in deployment of Long term Evolution (LTE) and LTE advanced(LTE-A), small cells using low power nodes such as a Pico cell and aFemto cell are considered promising to cope with mobile trafficexplosion. A small cell using a low power node which has transmissionpower (Tx) lower than a macro node and Base Station (BS) classes ispreferred for hotspot deployments in indoor and outdoor scenarios. Thesmall cell enhancement for Evolved Universal Mobile TelecommunicationSystem (UMTS) Terrestrial Radio Access Network (E-UTRAN) and E-UTRAfocuses on additional functionalities for enhanced performance inhotspot areas for indoor and outdoor using the low power nodes. Thesmall cell enhancement can be expected to support significantlyincreased user throughput for both downlink and uplink with main focuson typical user throughput given a reasonable system complexity. Thesmall cell enhancement is expected to target the capacity per unit area(e.g. bps/km2) to be as high as possible, for a given user and smallcell distribution, typical traffic types and considering a reasonablesystem complexity. In LTE Release-11 specification a UE can be carrieraggregated by carriers from different frequency bands. The UE is carrieraggregated with at least one first serving frequency served by a primaryeNB and at least one second serving frequency served by a secondary eNB.This carrier aggregation of the UE is called as inter-eNB carrieraggregation and the UE. Dual Connectivity involves two eNBs in providingradio resources to a given UE (with active radio bearers), while singleS1-MME termination point exists for an UE between a MME and the E-UTRAN.The E-UTRAN architecture and related functions to support DualConnectivity for E-UTRAN is further described in TS 36.300.

In existing security mechanisms supporting inter-carrier aggregation atthe UE, authentication and authorization are performed using theauthentication and key agreement procedure (AKA) defined for the evolvedUniversal Terrestrial Radio Access (E-UTRAN) in the LTE Networks. Aninitial security key is derived by the Mobility Management Entity (MME)in the core network and sent to a primary eNB. During an inter-eNB (S1or X2-initiated) handover, the primary eNB derives the security key fora secondary eNB, using a base security key. The same security key isused for deriving further keys, which one of the key is used for userplane data protection.

During a handover (HO), the unused next hop (NH) parameters or anexisting security key associated with the primary eNB can be used forderiving the base security key. For forward, security, a new securitykey for the secondary eNB can be derived using a vertical key derivationat the anchor eNB using unused Next Hop (NH) parameters. The unused NHparameters may not be used always, and the existing security key may beused as for deriving the security key for the drift eNB. The use of theexisting security key for communication between the drift eNB and the UEmay not provide adequate key separation, resulting in securitycompromise.

Further, if the primary eNB derives security key for the secondary eNBusing an existing security key, then the key repetition will occur.Further, each time the secondary eNB is removed and added again forsupporting dual connectivity, the security key generated may berepeated. Further, key stream repetition is highly possible when theexisting security mechanism defined in TS 33.401 is used for dualconnectivity and leads to exposing the user plane to security attacks,which needs to be avoided.

In additional to key repetition, the security capabilities and/or localconfiguration of the secondary eNB may be different from primary eNB.Hence, the UE may need to use different cryptographic algorithms forcommunicating with the secondary eNB. The establishment of securitycontext between the secondary eNB and the UE requires knowledge of thesecurity algorithms supported and selected by the secondary eNB.

The above information is presented as background information only tohelp the reader to understand the present invention. Applicants havemade no determination and make no assertion as to whether any of theabove might be applicable as Prior Art with regard to the presentapplication.

DISCLOSURE OF INVENTION Technical Problem

The existing security mechanisms have several disadvantages. Theexisting security mechanisms may not provide a solution securecommunication between the secondary eNB and the UE as the generated keysmay get repeated when secondary eNB is added and the existing secondarykey is updated, which is high security threat. Further, the existingsecurity mechanisms may not provide adequate protection when the primaryeNB and the secondary eNB serving the UE belong to different operatorsand forward secrecy is not maintained.

Technical Solution

Accordingly the embodiments herein provide a method for creating asecure connection for a User Equipment (UE) in a wireless networkcomprising a first evolved Node B (eNB) connected to a second eNB. TheUE is carrier aggregated with at least one first serving frequencyserved by the first eNB and at least one second serving frequency servedby the second eNB. The method includes generating a uniquenon-repetitive security base key associated with the second eNB by thefirst eNB during one of an addition of the second eNB, a change of thesecond eNB, update of the unique non-repetitive security base key, andrefresh of the unique non-repetitive security base key. The uniquenon-repetitive security base key is generated based on a freshnessparameter and a security base key associated with the first eNB. Themethod includes deriving a user plane encryption key based on thegenerated unique non-repetitive security base key associated with thesecond eNB by the second eNB for encrypting data transfer over at leastone data radio bearer, after receiving the unique non-repetitivesecurity base key from said first eNB. Further, the method includesinforming the freshness parameter to the UE to derive the uniquenon-repetitive security base key associated with the second eNB and theuser plane encryption key for data transfer over the secure connection.The at least one data radio bearer is established on at least oneserving cell associated with the second eNB and the UE. Furthermore, themethod includes enabling a secure connection for user plane datatransfer between the UE and the second eNB over the at least one dataradio bearers using the user plane encryption key associated with thesecond eNB.

In an embodiment, the unique non-repetitive security base key associatedwith the second eNB is cryptographically separate from the security basekey associated with the first eNB. In an embodiment, the freshnessparameter used to derive the unique non-repetitive security base keyassociated with the second eNB is one of a random value and a countervalue. The freshness parameter is used as an input parameter for everysaid unique non-repetitive security base key derivation associated withthe second eNB, wherein the freshness parameter used is different fromthe one used previously for a given security base key associated withthe first eNB to avoid key stream repetition.

Accordingly the embodiments herein provide a system for creating asecure connection for a User Equipment (UE) in a wireless networkcomprising a first evolved Node B (eNB) connected to a second eNB. TheUE is carrier aggregated with at least one first serving frequencyserved by the first eNB and at least one second serving frequency servedby the second eNB. The system is configured to generate a uniquenon-repetitive security base key associated with the second eNB by thefirst eNB during one of an addition of the second eNB, a change of thesecond eNB, update of the unique non-repetitive security base key, andrefresh of the unique non-repetitive security base key. The uniquenon-repetitive security base key is generated based on a freshnessparameter and a security base key associated with the first eNB. Thesystem is configured to derive a user plane encryption key based on thegenerated unique non-repetitive security base key associated with thesecond eNB for encrypting data transfer over at least one data radiobearer after receiving the generated unique non-repetitive security basekey associated with the second eNB from the first eNB. Further, thesystem is configured to inform the freshness parameter to the UE used toderive the unique non-repetitive security base key associated with thesecond eNB and the user plane encryption key for data transfer over thesecure connection. The at least one data radio bearer is established onat least one serving cell associated with the second eNB. Further, thesystem is configured to enable a secure connection for user plane datatransfer between the UE and the second eNB over the at least one dataradio bearers using the user plane encryption key associated with thesecond eNB.

Accordingly the embodiments herein provide a computer program productcomprising computer executable program code recorded on a computerreadable a non-transitory storage medium, the computer executableprogram code when executed, causing the actions including generating anunique non-repetitive security base key associated with the second eNBduring one of an addition of the second eNB, a change of the second eNB,update of the unique non-repetitive security base key, and refresh ofthe unique non-repetitive security base key. The unique non-repetitivesecurity base key is generated based on a freshness parameter and asecurity base key associated with the first eNB. The computer executableprogram code when executed, causing further actions including deriving auser plane encryption key based on the generated unique non-repetitivesecurity base key associated with the second eNB for encrypting datatransfer over at least one data radio bearer after receiving thegenerated unique non-repetitive security base key associated with thesecond eNB from first eNB. The at least one data radio bearer isestablished on at least one serving cell associated with the second eNB.The computer executable program code when executed, causing furtheractions informing the freshness parameter to the UE used to derive theunique non-repetitive security base key associated with the second eNBand the user plane encryption key for data transfer over the secureconnection.

The computer executable program code when executed, causing furtheractions enabling a secure connection for user plane data transferbetween the UE and the second eNB over the at least one data radiobearers using the user plane encryption key associated with the secondeNB.

These and other aspects of the embodiments herein will be betterappreciated and understood when considered in conjunction with thefollowing description and the accompanying drawings. It should beunderstood, however, that the following descriptions, while indicatingpreferred embodiments and numerous specific details thereof, are givenby way of illustration and not of limitation. Many changes andmodifications may be made within the scope of the embodiments hereinwithout departing from the spirit thereof, and the embodiments hereininclude all such modifications.

Advantageous Effects of Invention

The principal object of the embodiments herein is to provide a systemand method for generating a unique non-repetitive security base keyassociated with a secondary eNB using the security base key associatedwith a primary eNB and a freshness parameter, when a UE is carrieraggregated with a first serving frequency served by the primary eNB andat least one second serving frequency served by the secondary eNB.

Another objective of the invention is to update the uniquenon-repetitive security base key associated with a secondary eNB toavoid key stream repetition.

Another object of the embodiments herein is to provide a mechanism forestablishing security context based on security capabilities andconfiguration supported by the secondary eNB in the wireless networksystem.

Another object of the embodiments herein is to provide a mechanism forcreating a secure connection for user plane data transfer using a uniquenon-repetitive security base key between a secondary eNB and a UE withinter-eNB carrier aggregation in a wireless network system.

BRIEF DESCRIPTION OF DRAWINGS

This invention is illustrated in the accompanying drawings, throughoutwhich like reference letters indicate corresponding parts in the variousfigures. The embodiments herein will be better understood from thefollowing description with reference to the drawings, in which:

FIG. 1A is a block diagram illustrating an inter-evolved node B (eNB)carrier aggregation with a User Equipment (UE) in a wireless networksystem, according to embodiments as disclosed herein;

FIG. 1B is a block diagram illustrating a security base, according toembodiments as disclosed herein;

FIG. 2A and FIG. 2B illustrates protocol architecture for dualconnectivity with distributed PDCP under consideration in 3GPPspecification, according to embodiments as disclosed herein;

FIG. 3 is a block diagram illustrating various modules of a MeNB and aSeNB, according to embodiments as disclosed herein;

FIG. 4 is a flow diagram illustrating a method for creating secureconnection for user plane data transfer using a unique non-repetitivesecurity base key between the UE and the SeNB, according to embodimentsas disclosed herein;

FIG. 5A is a flow diagram illustrating a method for security key updateinitiated by SeNB and MeNB avoiding key stream repetition using afreshness parameter, according to embodiments as disclosed herein;

FIG. 5B is a flow diagram illustrating a method 500 b for updating theunique non-repetitive security key associated with the SeNB when thesecurity key associated with MeNB gets updated, according to embodimentsas disclosed herein;

FIG. 6A is an example sequence diagram illustrating various operationsperformed between a UE, a MeNB, and a SeNB for creating a secureconnection for user plane data transfer using a unique non-repetitivesecurity base key, according to embodiments as disclosed herein.

FIG. 6B is an example sequence diagram illustrating various operationsperformed between a UE, a MeNB, and a SeNB for updating the uniquenon-repetitive security base key associated with the SeNB, according toembodiments as disclosed herein;

FIG. 6C is an example sequence diagram illustrating various operationsperformed between a UE, a MeNB, and a SeNB for updating the uniquenon-repetitive security base key associated with the SeNB when thesecurity base key associated with the MeNB gets updated, according toembodiments as disclosed herein;

FIG. 7A and FIG. 7B is an example sequence illustrating a mechanism forsecure key handling in a network supporting carrier aggregation of theUE, according to embodiments as disclosed herein;

FIG. 8 is a flow diagram illustrating a method for achieving forwardsecurity using a Down Link (DL) PDCP count for deriving the security keyused for user plane data transmission according to embodiments asdisclosed herein;

FIG. 9 is an example sequence diagram illustrating various operationsperformed between a UE, a first eNB, a second eNB to achieve forwardsecurity using a DL PDCP count for deriving the security key used foruser plane data transmission, according to embodiments as disclosedherein;

FIG. 10 is a flow diagram illustrating a method for achieving forwardsecurity using a DL PDCP count and a Up Link (UL) PDCP count forderiving the security key used for user plane data transmission,according to the embodiments as disclosed herein;

FIG. 11 is an example sequence diagram illustrating various operationsperformed between a UE, a first eNB, a second eNB to achieve forwardsecurity using a DL PDCP count and a UL PDCP count for deriving thesecurity key used for user plane data transmission, according toembodiments as disclosed herein;

FIG. 12 is a flow diagram illustrating a method for achieving forwardsecurity using a nonce for deriving the security key used for user planedata transmission, according to embodiments as disclosed herein;

FIG. 13 is an example sequence diagram illustrating various operationsperformed between a UE, a first eNB, a second eNB to achieve forwardsecurity using nonce for deriving the security key used for ser planedata transmission, according to embodiments as disclosed herein;

FIG. 14 is a flow diagram illustrating a method for establishingsecurity context based on security capabilities supported by the secondeNB in the wireless network, according to embodiments as disclosedherein;

FIG. 15 is an example sequence diagram illustrating various operationsperformed between the UE and the first eNB to establish the securitycontext based on the second eNB security capabilities, according toembodiments as disclosed herein;

FIG. 16 is another example sequence diagram illustrating variousoperations performed between the UE and the first eNB to establish thesecurity context based on security capabilities supported by the secondeNB, according to embodiments as disclosed herein;

FIG. 17 illustrates example key update indicator and MessageAuthentication Code (MAC) for Integrity verification generated using thenew security key present in a PDCP Protocol Data Unit (PDU), accordingto the embodiments as disclosed herein;

FIG. 18 illustrates example key update indicator and NONCE carried overin the PDCP PDU, according to embodiments as disclosed herein; and

FIG. 19 depicts a computing environment implementing a method and systemfor creating a secure connection for the UE in a wireless networkincluding the first eNB connected to the second eNB, according toembodiments as disclosed herein.

MODE FOR THE INVENTION

The embodiments herein and the various features and advantageous detailsthereof are explained more fully with reference to the non-limitingembodiments that are illustrated in the accompanying drawings anddetailed in the following description. Descriptions of well-knowncomponents and processing techniques are omitted so as to notunnecessarily obscure the embodiments herein. Also, the variousembodiments described herein are not necessarily mutually exclusive, assome embodiments can be combined with one or more other embodiments toform new embodiments. The term “or” as used herein, refers to anon-exclusive or, unless otherwise indicated. The examples used hereinare intended merely to facilitate an understanding of ways in which theembodiments herein can be practiced and to further enable those of skillin the art to practice the embodiments herein. Accordingly, the examplesshould not be construed as limiting the scope of the embodiments herein.

Throughout the document, the terms “first evolved Node B” (first eNB),“Master eNB (MeNB)”, “primary eNB”, and “anchor eNB” are usedinterchangeably and may refer to a single eNB, which connects a UserEquipment (UE) to the core network (which terminates at least S1-MMEinterface).

Throughout the document, the terms “second eNB”, “Secondary eNB (SeNB)”,and “Drift eNB” are used interchangeably and may refers to an eNB whichserves the UE to enhance data throughput at the UE (but not the MeNB).

Throughout the document, the terms “Second eNB Change Counter (SCC)”,“S-Count Counter (SCC)”, “Secondary Cell Counter”, “Secondary Cell Group(SCG) Counter”, and SCG counter are used interchangeably and refer to acounter parameter maintained at the first eNB.

Through the document, the terms “refresh”, “rekeying” and “update” havebeen used interchangeably and may refer to the derivation of a freshsecurity base key associated with the SeNB.

Throughout the document, the term “KeNB_m” refer to the key KeNBspecified in 3GPP Technical Specification (TS) 33.401, which is used bythe MeNB and the UE to derive further keys to protect the communicationbetween them.

The embodiments herein achieve a method and system for creating a secureconnection for the UE in a wireless network including the first eNBconnected to the second eNB is disclosed. The UE is carrier aggregatedwith at least one first serving frequency served by the first eNB and atleast one second serving frequency served by the second eNB. At thefirst eNB, a unique non-repetitive security base key associated with thesecond eNB is derived using a freshness parameter during at least forone of the following: addition of a second eNB, update of the uniquenon-repetitive security base key (due to wrap around of PDCP count orrefresh/re-keying of first eNB's based key KeNB_m), and refresh of theunique non-repetitive security base key. The unique non-repetitivesecurity base key is generated based on a security base key associatedwith the first eNB and a freshness parameter associated with thesecurity context of the first eNB. At the second eNB, a user planeencryption key is derived based on the unique non-repetitive securitybase key associated with the second eNB received from the first eNB forencrypting data transfer over at least one data radio bearer. At leastone data radio bearer is established on at least one serving cellassociated with the second eNB. The freshness parameter is informed tothe UE for deriving the unique non-repetitive security base keyassociated with the second eNB and further deriving a user planeencryption key for data transfer over the secure connection. Further asecure connection is established for user plane data transfer betweenthe UE and the second eNB over the data radio bearers using the userplane encryption key associated with the second eNB.

In an embodiment, the unique non-repetitive security base key associatedwith the second eNB is cryptographically separate from the security basekey associated with the first eNB. The freshness parameter used toderive the unique non-repetitive security base key associated with thesecond eNB is one of a random value and a counter value. In anembodiment, the freshness parameter is used as an input parameter forevery said unique non-repetitive security base key derivation associatedwith the second eNB, wherein the freshness parameter used is differentfrom the one used previously for a given security base key associatedwith the first eNB to avoid key stream repetition. Further, SeNB canrequest the MeNB to update the security base key associated with it overthe X2 interface (when the PDCP counts are about to wrap around for anyof the DRBs between the SeNB and the UE). When the MeNB receives arequest for key update from the SeNB or whenever the MeNB decides toperform the update of security base key associated with SeNB, the MeNBderive a fresh security base key associated with SeNB. Then the MeNBdelivers the fresh security base key associated with the SeNB to theSeNB and MeNB provides the value of the freshness parameter used in thederivation of the security base key associated with SeNB to the UE inRRC procedure. The UE then derive the security base key associated withSeNB and User plane protection key.

Further, the embodiments herein achieve a method and system for securingradio access with inter-evolved node B (eNB) carrier aggregation tosecure data transmission with user equipment (UE). An X2 message fromthe first eNB including UE capabilities and configurations is sent tothe SeNB. Based on the received parameters the SeNB can select securityparameters to be used for communication between the SeNB and the UE.

The proposed system and method is robust and effective in providing asecure communication for the UE operating in dual connectivity mode ofoperation when the UE could possibly associate itself with two or moreeNB's for possible enhancement in the user traffic throughput.Specifically, the one or more embodiments of the present invention areused to improve the security of radio networks with inter-eNBaggregation. The proposed system and method mitigates the securitythreats faced when using existing methods by providing key separationand security handling between the first eNB, the UE, and second eNB.Unlike conventional systems, the proposed system and method usesseparate ciphering at a Packet Data Convergence Protocol (PDCP) layer ofthe eNBs in use comprising the first eNB and the second eNB. The systemand method also provides additional separate security keys at the secondeNB and management of security context at the second eNB.

Referring now to the drawings, and more particularly to FIGS. 1 through19, where similar reference characters denote corresponding featuresconsistently throughout the figures, there are shown preferredembodiments.

FIG. 1A is a block diagram illustrating an inter-evolved node B (eNB)carrier aggregation in a wireless network system 100 such as that of3GPP's Long Term Evolution (LTE), according to embodiments as disclosedherein. The wireless network system 100 includes a Mobility ManagementEntity (MME) 102, a first eNB (MeNB) 104, a second eNB (SeNB) 106, and aUE 108 with inter-eNB carrier aggregation. The MME 102 manages sessionstates, authentication, paging, mobility with 3GPP, 2G and 3G nodes,roaming, and other bearer management functions.

In an embodiment, a carrier aggression manager in a core network canassign the MeNB 104 to the UE 108. Once the MeNB 104 is assigned to theUE 108, the MeNB 104 can be configured to pass signaling information tothe UE 108 using a Radio Resource Control (RRC) connection. In aninter-eNB carrier aggregation, the UE 108 is carrier aggregated with afirst serving frequency (F1) served by the MeNB 104 and a second servingfrequency (F2) served by the SeNB 106.

Similar to the intra-eNB aggregation, if the UE 108 is in the coveragearea of both of the cells, and supports aggregations of the respectivecarrier frequencies F1 and F2, then the carriers can be aggregated andthe UE 108 can be served by both the cells 104 and 106 respectively.Advantageously, concurrent transmission over both the frequencies F1 andF2 is possible without introducing interference because the twofrequencies are different. As such, the inter-eNB carrier aggregation ofthe present embodiment provides additional transmission resources,similar to the intra-eNB carrier aggregation of LTE-Advanced.

The MeNB 104 and the SeNB 106 are connected through a non-ideal backhaulsuch as X2 interface and communicate using the X2 application protocol(X2-AP).

In an embodiment, the MeNB 104 is connected to the SeNB 106 with aninterface characterized by one of a non-ideal backhaul link and an idealbackhaul link. The UE 108 is carrier aggregated with at least one firstserving frequency served by the MeNB 104 and at least one second servingfrequency served by the SeNB configured to operate in dual connectivitymode of operation in at least one of a downlink direction and an uplinkdirection with the MeNB 104 and SeNB 106.

In an embodiment, the wireless network system 100 uses a set of bearersof the UE 108 that is transmitted over the MeNB 104, while another setof bearers of the UE 108 is transmitted over the SeNB 106. In accordancewith the 3GPP specification, the data rate of the UE 108 can beincreased by addition of the one secondary cell from one of theavailable SeNB 106 through the inter-eNB carrier aggregation.

In an embodiment, a base key is shared between all of the eNBs which areinvolved in the inter-eNB carrier aggregation of an UE. The base key fora particular eNB is then distributed to other serving eNBs through theX2 interface. Each eNB receiving the base key then independently derivesthe keys. Additionally, a separate security keys are used at the SeNB106 for management of security context at the SeNB 106.

Although the FIG. 1 depicts only one MeNB and SeNB, it is to beunderstood that the wireless network system 100 may include multipleMeNB's and SeNB's communicating with the UE. The wireless network system100 is only one example of a suitable environment and is not intended tosuggest any limitation as to the scope of use or functionality of theinvention. Further, the wireless network system 100 can includedifferent modules communicating among each other along with otherhardware or software components. For example, the component can be, butnot limited to, a process running in an electronic device, an executableprocess, a thread of execution, a program, or a computer. By way ofillustration, both an application running on an electronic device andthe electronic device can be the component.

FIG. 1B is a block diagram illustrating the security base, according toembodiments as disclosed herein. The UE 108 and MeNB 104 can beconfigured to derive the security key KeNB_s of a target SeNB 106 atblock 110. At the MeNB 104 and the UE 108, the Key Derivation Function(KDF) uses the base security key associated with the MeNB 104 and afreshness parameter (Second eNB Change Counter (SCC)) as inputparameters for generating the unique non-repetitive security base key(KeNB_s) associated with the SeNB 106. Details of the SCC and the keyderivation process are provided in conjunction with FIG. 4. At block112, the generated (KeNB_s) is sent to the SeNB 106 using an X2 messageand the SCC used to derive KeNB_s is sent to the UE 108 using a RadioResource Control (RRC) message.

In an embodiment, the RRC message is a RRC connection reconfigurationmessage.

In an embodiment, the RRC message a SECURITY MODE COMMAND message.

At the SeNB 106 and the UE 108, the KDF uses the unique non-repetitivesecurity base key (KeNB_s) associated with the SeNB 106 and otherparameters for deriving a KUPenc key (user plane encryption key) toprotect the user plane traffic between the UE 108 and the SeNB 106.

FIG. 2 illustrates protocol architecture for dual connectivity withdistributed PDCP under consideration in 3GPP specification, according toembodiments as disclosed herein. The protocol architecture for dualconnectivity with distributed Packet Data Convergence Protocol (PDCP)under consideration in 3GPP specification TR 36.842 is described in theFIG. 2. When the UE 108 is served by the MeNB 104 and the SeNB 106, thecontrol plane and the user plane of the UE 108 gets split between theMeNB 104 and the SeNB 106.

The FIG. 2A illustrates a core network (CN) split architecture,according to embodiments as disclosed herein. As shown in the FIG. 2A,the S1-U terminates at the MeNB 104 and the SeNB 106. This architectureis referred as core network (CN) split where a set of Evolved PacketSystem (EPS) bearers of the UE 108 are split in the core network at theService-Gateway (S-GW) and the EPS bearers are mapped on the respectiveS1-U interfaces towards the MeNB 104 and the SeNB 106.

The FIG. 2B illustrates Radio Access Network (RAN) split architecture,according to embodiments as disclosed herein. As shown in the FIG. 2B,the S1-U terminates only at the MeNB 104. This architecture is referredas radio access network (RAN) split where the EPS bearers of the UE 108are split in the MeNB 104 and the offloaded bearer are mapped on the X2interface towards the SeNB 106. The protocol stack for the data radiobearer associated with the MeNB 104 (EPS Bearer #1) and the SeNB 106(EPS Bearer #2) includes a PDCP entity, a Radio Link Control (RLCentity), and a common Medium Access Control (MAC) entity. Also, theprotocol stack for the split data radio bearer associated with the MeNB104 (EPS Bearer #1) can be handled by the PDCP entity also associatedwith the SeNB 106 called the common PDCP entity. The protocol stackassociated with the SeNB 106 for handling the split data radio bearerassociated with the SeNB 106 (EPS Bearer #2) includes the RLC entity,the MAC entity, and the common PDCP entity. Further, the MeNB 104includes an RRC protocol for control signaling.

FIG. 3 is a block diagram illustrating a system 300 with various modulesof a MeNB and a SeNB; according to the embodiments as disclosed herein.The primary blocks present for communication in dual connectivity of UEinclude a communication module 302, a bearer path management module 304,a processor module 306, a memory module 308, and a key management module310. In an embodiment, the communication module 302 is configured tocommunicate security information with the UE 108 and other eNB forestablishing a security context. For example, the wireless communicationmodule 302 in a MeNB 104 can be configured to communicate the securitybase keys with one or more UEs 108.

The bearer path management module 304 determines the bearer to betransmitted over within respective cells in the eNB's. The bearerdescribed herein can either be a Data Radio Bearer (DRB) or a SignalingRadio Bearer (SRB). The selection of a bearer is based on severalvariables, which include for example, but are not limited to, Quality ofService requirements (QoS), traffic characteristics of the bearer, andload and coverage area of a selected secondary cell.

The key management module 310 is responsible for receiving keys fromvarious entities. The key management module 310 may be configured togenerate further security keys based on a received key. The MeNB 104receives a base security key from the MME 102 and derives a uniquenon-repetitive security key for SeNB 106. Similarly, the SeNB 106 canuse the security key received from the MeNB 104 to derive new securitykey to be used for secure communication with the UE 108. The derivedunique non-repetitive security key for the SeNB 106 can be sent from theMeNB 104 through the X2 interface using an X2 message.

Further, the memory module 308 is configured to store data related tooperation of the eNB's (MeNB and SeNB) and the UE 108. The memory module308 can be configured to store various security keys generated forcommunication with different entities.

FIG. 4 is a flow diagram illustrating a method 400 for creating secureconnection for user plane data transfer using a unique non-repetitivesecurity base key, according to the embodiments as disclosed herein. Inan embodiment, at step 402, the method 400 includes generating a uniquenon-repetitive security base key associated with the SeNB 106 using thesecurity base key associated with MeNB 104 and a freshness parameter.

The MeNB 104 is configured to determine the SeNB 106 for datatransmission to the UE 108 among the eNB's managed by the MeNB 104.Multiple SeNB's 106 can be managed by a single MeNB 104. The selectionof the SeNB 106 may depend on several factors like channel measurement,the location of the UE 108, load information, and the like. The MeNB 104can be configured to generate the unique non-repetitive security basekey associated with the SeNB 106 and a freshness parameter while addingthe SeNB 106.

The freshness parameter is one of a random value and a counter value,which is associated with MeNB 104 security context and is generatedand/or incremented for each unique non-repetitive security base keyderived for the SeNB 106. The freshness parameter is used, along with asecurity base key of the MeNB 104 for a unique non-repetitive securitybase key derivation for the SeNB 106, is different from the one usedpreviously, in order to avoid key stream repetition. In an embodiment,when the count value (SCC) is about to wrap around for a given securitybase key of the MeNB (KeNB_m), then the MeNB refresh the security basekey (KeNB_m) of the AS security context associated with the SCC andreset the value of the SCC to “0”.

In an embodiment, the MeNB 104 needs to generate the uniquenon-repetitive security base key in addition to the existing uniquenon-repetitive security base key when an additional SeNB 106 is added toserve the UE 108.

In an embodiment, the MeNB 104 can be configured to generate the uniquenon-repetitive security key when there is change of in the SeNB 106being used. For example, when the SeNB 106 decides to offload the DRB'sto a candidate SeNB 106, a fresh security base key needs to begenerated.

In an embodiment, the MeNB 104 can be configured to generate the uniquenon-repetitive security key when there is update in the security keyassociated with the SeNB 106. For example, when the same SeNB 106 getsreconnected to the MeNB 104 after certain duration, update of thesecurity key associated with the SeNB 106 becomes essential. In anembodiment, the MeNB 104 can be configured to generate the uniquenon-repetitive security key when there is update in the security keyassociated with the MeNB 104. For example, if there is a change in theMeNB 104 base key (KeNB_m) associated with the UE 108, update of thesecurity key associated with the SeNB 106 is needed to ensure securityof the derived user plane encryption keys.

At step 404, the method 400 includes incrementing a counter valueassociated with the freshness parameter for updating of security keyassociated with the second eNB.

The various operations between the MeNB 104, SeNB 106 and the UE 108 forhandling security keys in different conditions like change in the SeNB106, addition of an SeNB 106, offloading of DRB, release of SeNB, andupdate of the security base key associated with MeNB 104 is described inconjunction with FIG. 7.

In an embodiment, the counter value is associated with the selected SeNB106 security context. In another embodiment, the counter value isassociated with the access stratum (AS) security context (with theKeNB_m) established between the MeNB 104 and the UE 108 and maintainedfor the duration of the current AS security context. The counter valueis incremented for each generated unique non-repetitive security basekey associated with the SeNB 106 by the MeNB. The counter value isreferred as the SCC or SCG Counter and maintained by the MeNB 104. Incase a random value is used as a freshness parameter, a random value canbe generated using a Pseudo Random Function (PRF) for each generatedunique non-repetitive security base key. As the freshness parameter usedis different from the one used previously along with a security basedKeNB_m, in order to avoid key stream repetition.

In an embodiment, SCC is initialized to ‘0’ when the KeNB_m in theassociated AS security context is established. The MeNB derive KeNB_s(using SCC=0) and then the SCC is incremented (after the key derivation)and the same mechanism is followed for further fresh key derivation. Inan embodiment, the SCG counter is incremented before the key derivationand the same mechanism is followed for further fresh key derivation. Inan embodiment, when the count value (SCC) is about to wrap around for agiven security base key of the MeNB 104 (KeNB_m), then the MeNB 104refresh the security base key (KeNB_m) of the AS security contextassociated with the SCC and reset the value of the SCC to “0”.

In addition to the freshness parameter, several other parameters can beused for generating the unique non-repetitive security base keyassociated with the SeNB 106. Examples of parameters used for generatingthe unique non-repetitive security base key, can include, but is notlimited to, the unique non-repetitive security base key associated withthe MeNB 104 (KeNB_m), the unique non-repetitive security base key inuse in the SeNB 106, the physical layer parameters like Physical CellIdentity (PCI) and DL frequency, wherein said PCI and said DL frequencyassociated with the SeNB 106.

At step 406, the method 400 includes informing the freshness parameterby the MeNB 104 to the UE 108 to enable the UE 108 to derive the uniquenon-repetitive security base key associated with the SeNB 106 (KeNB_s).For example, the value of the SCC is sent to the UE as the freshnessparameter for generating the unique non-repetitive security base key.The MeNB 104 delivers the generated unique non-repetitive security basekey (KeNB_s) to the SeNB 106.

At step 408, the method 400 includes deriving the unique non-repetitivesecurity base key at the UE 108 based on the freshness parameterreceived from the MeNB 104.

At step 410, the method 400 includes deriving a user plane encryptionkey based on the unique non-repetitive security base key associated withthe second eNB (KeNB_s) for encrypting data transfer over at least oneData Radio Bearer (DRB) established on at least one serving cellassociated with the SeNB 106. Based on the unique non-repetitivesecurity base key derived for the SeNB 106, the SeNB 106 can beconfigured to generate the user plane encryption key to be used for datacommunication between the SeNB 106 and the UE 108. Similarly, the UE 108can be configured to generate user plane encryption key to be used fordata communication between the SeNB 106 and the UE 108.

At step 412, the method 400 includes enabling a secure connection forthe user plane data transfer between the UE 108 and the SeNB 106 oversaid at least one data radio bearers using the user plane encryption keyassociated with said SeNB 106.

The various actions, acts, blocks, steps, and the like in the method 400may be performed in the order presented, in a different order orsimultaneously. Further, in some embodiments, some actions, acts,blocks, steps, and the like may be omitted, added, modified, skipped,and the like without departing from the scope of the invention.

FIG. 5A is a flow diagram illustrating a method 500 _(a) for securitykey update and avoiding key stream repetition using a freshnessparameter, according to the embodiments as disclosed herein.

The security update is essential to avoid key stream repetition. If theMeNB 104 derives the unique non-repetitive security base key for theSeNB 106 using an existing security key associated with the MeNB 104then the key repetition can occur with the existing security mechanismswhen the SeNB 106 gets released and reconnected to the MeNB 104 multipletimes.

Security Key Update at SeNB 106

At step 502 _(a), the method 500 _(a) begins with the SeNB 106 using thereceived unique non-repetitive security base key for generating the userplane encryption key.

At step 504 _(a), the method 500 _(a) includes detecting at the SeNB 106whether a PDCP count for the Data Radio Bearer established on the SeNB106 is about to wrap around or detecting if the SeNB 106 decides tochange the SeNB 106 currently configured for said UE to anothercandidate SeNB. In case, the SeNB 106 decides to direct the DRB's to thecandidate SeNB, the MeNB 104 needs to generate a fresh security base keyused for the candidate SeNB. Alternatively the SeNB 106 detects the PDCPcount associated with a DRB is about to wrap around, the SeNB 106 can beconfigured to request MeNB 104 to update the security key used.

At step 508 _(a), the method 500 _(a) includes sending a key updaterequest message from the SeNB 106 to the MeNB 104 over the X2 interfacebetween the MeNB 104 and the SeNB 106 for a fresh security base key.

On detecting that at least one DRB established on the SeNB 106 is aboutto reach a wrap around point, the SeNB 106 can be configured to send akey update request message to the MeNB 104 through the X2 interface.

In an embodiment, when the SeNB 106 decides to select a candidate SeNBfor serving the UE 108, the SeNB 106 sends a request to the MeNB 104associated with the UE 108 for updating of the security key.

At step 506 _(a), the method 500 _(a) includes the SeNB 106 using thecurrent security base key received from MeNB 104. As there is no changein the SeNB 106 or the wrap around point associated with any of the DRBis not reached, the SeNB 106 can continue using the current securitybase key received from MeNB 104.

At step 508 _(a), the method 500 _(a) includes receiving a request atMeNB 104 for updating the current security base key associated with theSeNB 106 in use. The SeNB 106 is configured to request the MeNB 104 forupdating the current security base key associated with the SeNB in usedby the SeNB 106.

At step 510 _(a), the method 500 _(a) includes deriving at the MeNB 104,a fresh security base key in response to the request received from theSeNB 106. Based on the key update request from the SeNB 106, the MeNB104 can be configured to generate a fresh unique non-repetitive securitybase key associated with the SeNB 106.

At step 512 _(a), the method 500 _(a) includes delivering the derivedfresh security base key associated with the SeNB 106 to the SeNB 106from the MeNB over the X2 interface between the MeNB 104 and SeNB 106.

At step 514 _(a), the method 500 _(a) includes passing the counter valueto the UE 108 to enable the UE to derive the fresh security base key.The UE 108 can derive the security key as the one to be used by the SeNB106. first eNB said fresh security base key in

Security Key Rekeying/Security Key Update Initiated by the MeNB 104

FIG. 5B is a flow diagram illustrating a method 500 _(b) for updatingthe unique non-repetitive security key associated with the SeNB 106 whenthe security key associated with MeNB 104 gets updated, according to theembodiments as disclosed herein.

At step 502 _(b), the method 500 _(b) begins with the SeNB 106 using thereceived unique non-repetitive security base key for generating the userplane encryption key.

At step 504 _(b), the method 500 _(b) includes detecting at the MeNB 104whether there in an update in the security associated with the MeNB 104or deciding at the MeNB to change the SeNB 106 currently configured forsaid UE to another candidate SeNB. In case, the SeNB 106 decides todirect the DRB's to the candidate SeNB, the MeNB 104 needs to derive afresh the security base key used for the candidate SeNB.

At step 506 _(b), the method 500 _(b) includes the SeNB 106 using thecurrent security base key received from MeNB 104. As there is no changein the eNB 106 or the security base key associated with the MeNB 104,the SeNB 106 can continue using the current security base key receivedfrom MeNB 104.

At step 508 _(b), the method 500 _(b) includes resetting the SCC to zeroas the KeNB_m is refreshed or re-keyed and deriving at the MeNB 104 afresh security base key associated with SeNB 106.

Based on the updated security key associated with the MeNB 104, the MeNB104 can be configured to generate a fresh unique non-repetitive securitybase key associated with the SeNB 106.

In an embodiment, the SCC counter can be incremented after deriving thefresh security base key associated with SeNB 106.

In an embodiment, the SCC counter can be incremented before deriving thefresh security base key associated with SeNB 106.

For each refresh of the security base key associated with the MeNB 104,the MeNB 104 can be configured to reset the count value to “0”.

At step 510 _(b), the method 500 _(b) includes delivering the derivedfresh security base key associated with the SeNB 106 to the SeNB 106 bythe MeNB over the X2 interface between the MeNB 104 and SeNB 106.

At step 512 _(b), the method 500 _(b) includes passing the counter valueused to derive the fresh security base key associated with the SeNB 106to enable the UE 108 to derive the fresh security base key. The UE 108can derive the security key as the one to be used by the SeNB 106.

Typically, the security base key need to be updated, when the UEconnects to a new MME 102 or a reconnection with the same MME 102.

The various actions, acts, blocks, steps, and the like in the method 500_(a) and method 500 _(b) may be performed in the order presented, in adifferent order or simultaneously. Further, in some embodiments, someactions, acts, blocks, steps, and the like may be omitted, added,modified, skipped, and the like without departing from the scope of theinvention.

FIG. 6A is an example sequence diagram illustrating various operationsperformed between a UE 108, a MeNB 104, and a SeNB 106 for creatingsecure connection for user plane data transfer using a uniquenon-repetitive security base key, according to embodiments as disclosedherein.

In an embodiment, use of same key stream in combination with the PDCPCOUNT and Bearer ID used for earlier key generation must not berepeated.

At 602 _(a), a security base key associated with the SeNB 106 isgenerated using a freshness parameter as one of the input parameters forkey derivation. The other input parameters can include, but is notlimited to, security base key in use in the MENB 104, the uniquenon-repetitive security base key in use in said SeNB 106, the physicallayer parameters like Physical Cell Identity (PCI) and DL frequencyassociated with the SeNB 106. The PCI and said DL frequency belongs toat most one secondary cell associated with SeNB 106 served on one of asecond serving frequency.

The MeNB 104 can be configured to generate the unique non-repetitivesecurity key, when there is change of in the SeNB 106 being used, whenthere is update in the security key associated with the SeNB 106, whenthere is update in the security key associated with the MeNB 104 andwhen the PDCP count in a DRB is about to reach the wrap around.

The freshness parameter is one of a random value and a counter value,which is generated or/and incremented for each unique non-repetitivesecurity base key derivation associated with the SeNB 106, such thatinput parameter is different from the one used previously to avoid keystream repetition.

At 604 _(a), the generated security key (KeNB_s) associated with theSeNB 106 and the capabilities of UE 108 is sent to the SeNB 106.

At 606 _(a), the SeNB 106 determines the security parameters to be usedfor communication with the UE and derives the user plane encryption keyusing from the received KeNB_s. The user plane encryption key is derivedat the SeNB 106 based on the received unique non-repetitive securitybase key associated with the second eNB for encrypting data transferover at least one Data Radio Bearer (DRB) established on at least oneserving cell associated with the SeNB 106.

At 608 _(a), an X2 message is sent from the SeNB 106 to the MeNB 104.The X2 message includes the selected security parameters like encryptionalgorithm.

At 610 _(a), the MeNB 104 informs the freshness parameter and theselected security parameters to the UE 108 using an RRC message forenabling the UE 108 to derive the unique non-repetitive security basekey associated with the SeNB 106.

At 612 _(a), the UE 108 derives the security key (KeNB_s) associatedwith the SeNB 106 using a freshness parameter received from the MeNB104. The UE 108 does not maintain the freshness parameter and use theparameter received from the MeNB 104. The UE 108 is configured to derivethe user plane encryption key based on the information present in theRRC connection reconfiguration message.

At 614 _(a), once the UE 108 derives the security key (KenB_s)associated with the SeNB 106 and the user plane encryption key an RRCconnection reconfiguration complete message is sent to the MeNB 104 fromthe UE 108. Then the UE 108 starts connecting with the SeNB 106.

Update of Security Base Key (KenB_s)

FIG. 6B is an example sequence diagram 600 _(b) illustrating variousoperations performed between a UE 108, a MeNB, and a SeNB 106 forupdating the unique non-repetitive security base key associated with theSeNB, according to embodiments as disclosed herein.

At 602 _(b), the SeNB 106 is configured to determine if the PDCP countfor the at least one Data Radio Bearer established on the SeNB 106 isabout to wrap around. For each PDCP wrap round for any DRB associatedwith the UE 108, the SeNB 106 can be configured to request update of thesecurity key used.

At 604 _(b), a key update request message from the SeNB 106 to the MeNB104 over the X2 interface between the MeNB 104 and the SeNB 106 for afresh security base key.

At 606 _(b), the MeNB 104 is configured to generate a fresh securitybase key associated with SeNB in response to the request received fromSeNB.

At 608 _(b), the generated fresh security base key is sent to the SeNB106.

At 610 _(b), an RRC connection reconfiguration message is sent to the UE108 indicating the SCC to enable the UE 108 to derive the fresh securitybase key associated with the SeNB 106.

At 612 _(b), the UE 108 derives the fresh security base key (KeNB_s) andthen derived the user plane key using the derived KeNB_s. At 614 _(b),the SeNB 106 and the UE 108, resumes the secure connection.

In an embodiment, the combination of NCC and the Key change indicatormay be used differently to interpret the key/NH value to be used toderive key KeNB_s at the UE 108. In case the MeNB 104 holds unused NHparameters, the KeNB_s is derived using unused NH parameters from theMeNB 104.

Vertical Derivation (if Unused NH Exists)

KeNB_s=KDF {NH (in MeNB), SeNB-PCI, SeNB-EARFCN-DL}

In case the MeNB 104 does not have unused NH parameters, the KeNB_s isderived using the currently active KeNB_m derived at the MeNB 104.

Horizontal Derivation (if Unused NH does not Exist)

KeNB_s=KDF {KeNB_m, SeNB-PCI, SeNB-EARFCN-DL}

Key Update:

KeNB_s=KDF {KeNB_s (in use, in SeNB), SeNB-PCI, SeNB-EARFCN-DL}

At 614 b, once the security base key is updates at the UE 108 and SeNB106, the secure connection between the UE 108 and SeNB 106 is resumed.

KEY ?REKEYING/Update of security base key (KenB_s) due to update ofsecurity base key (KeNB_m) at the MeNB 104

FIG. 6C is an example sequence diagram 600 _(c) illustrating variousoperations performed between a UE 108, a MeNB, and a SeNB 106 forupdating the unique non-repetitive security base key associated with theSeNB 106 when the security base key associated with the MeNB 104 getsupdated, according to embodiments as disclosed herein.

At 602 _(c), the MeNB 104 decides to update the security key associatedwith the SeNB 106.

When there is an update (also referred as key refresh or rekeying) ofthe security base key associated with the MeNB 104 (KeNB_m), a newKeNB_s is derived. Typically, the rekeying happens when the UE connectsto a new MME 102 or the MeNB 104 reconnects to the same MME 102.Further, rekeying is also performed automatically if the MeNB 104reconnects to the same MME 102 and key fresh happens, when the MME 102provides new key or when the PDCP count of any DRB between the MeNB 104and the UE 108 are about to warp around.

At 604 _(c), the MeNB 104 is configured to generate a fresh securitybase key (KeNB_s) associated with SeNB 106, when there is an update inthe security key (KeNB_m) associated with the MeNB 104. The SCC value isreset to zero when the security base key (KeNB_m) associated with MeNB104 is updated.

At 606 _(c), the generated fresh security base key is sent to the SeNB106.

At 608 _(c), based on the received security base key (KeNB_s), the userplane encryption key for secure communication between UE 108 and SeNB106 is generated.

At 610 _(c), an X2 message confirming the receipt of the security keyassociated with SeNB 106 is sent to the MeNB 104 over the X2 interface.

At 612 _(c), an RRC connection reconfiguration message is sent to the UE108 indicating the SCC to enable the UE 108 to derive the fresh securitybase key (KenB_s). The UE 108 can derive the user plane encryption keyusing the derived security base key (KenB_s).

At 614 _(c), the UE 108 derives the fresh security base key (KenB_s). At616 _(c), the UE 108 sends the RRC Connection Reconfiguration completeto the MeNB 104. At 618 _(c), once the security base key is updates atthe UE 108 and SeNB 106, the secure connection between the UE 108 andSeNB 106 is resumed.

In an embodiment, the SCC value along with security key (KeNB_m)associated with the MeNB 104 is used to derive the security key (KeNB_s)for the SeNB 106. The SCC value is reset at the MeNB 104 when KeNB_m isupdated and the initialized value is used for deriving the security basekey associated with the SeNB 108 to avoid the re-use of the basesecurity key and derivation of same key stream.

The MeNB 104 can be configured to increment the counter value forgeneration of each unique non-repetitive base key (KeNB_s) associatedwith the SeNB 106. The counter value is passed to the UE 108 by the MeNBusing the RRC signaling. The MeNB 104 sends the newly derived KeNB_s tothe SeNB 106, so that both SeNB 106 and the UE 108 use the same KeNB_sand establish the AS small cell security context. The MeNB 104 maintainsthe counter value along with security key (KeNB_m) associated with theMeNB 104 and resets whenever the security key (KeNB_m) associated withthe MeNB 104 changes.

In an embodiment, the counter value along with the NCC value and ScellKey change indicator identifies the key to be used for the for derivingthe unique non-repetitive security base key (KeNB_s) associated with theSeNB 106. In another embodiment, the UE 108 and the MeNB 104 maintainsthe counter value and increases for every KeNB_s derivation. In anembodiment, the PCI and DL frequency used to derive the key belongs toat most one secondary cell associated with the SeNB served on one of thesecond serving frequency and the key derivation using the counter valueand physical layer parameters are as follows:

-   -   KeNB_s=KDF{KeNB_m, counter value, SeNB-PCI, SeNB-EARFCN-DL}

In an embodiment, the key derivation using the counter value is asfollows:

-   -   KeNB_s=KDF{KeNB_m, counter value}

In an embodiment, the NONCEMeNB along with KeNB_m is used to deriveKeNB_s. The NONCEMeNB is generated by the MeNB 104 in order to avoid theKeNB_s key re-use or to avoid derivation of the same key stream (canonly happen while still using the same KeNB_m) repeatedly. The NONCEMeNBis provided to the UE 108 by the MeNB 104 using the RRC signaling.Further, the MeNB 104 sends the newly derived KeNB_s to the SeNB 106 sothat both the SeNB 106 and the UE 108 can use the same KeNB_s. In anembodiment, the RRC connection reconfiguration message can carry theNONCEMeNB value from the MeNB 104 to the UE 108.

FIG. 7A and FIG. 7B is an example sequence 700 illustrating a mechanismfor secure key handling in a network supporting carrier aggregation ofthe UE 108, according to embodiments as disclosed herein.

Initial Offloading

At step 702, the MeNB 104 decided to offload a DRB to a SeNB 106. TheMeNB 104 determines that UE 108 can be dually connected with a SeNB-106.

At 704, once the SeNB is decided, the MeNB 104 derives S-KeNB1 byinitializing the SCC counter to zero value. The freshness parameter(also referred as the key freshness counter) is incremented for everyKeNB_s derivation.

At 706, the MeNB 104 sends the derived security key associated with SeNB106 along with the bearer ID of the DRB being offloaded. The MeNB 104can be configured to provide high level details of X2-AP to the SeNB106. The process of adding a secondary cell associated with SeNB 106 toserve the UE 108 at a second frequency ensures that required securitymeasures are present at the SeNB 106. A DRB ID assignment is handled byMeNB 104 and the MeNB 104 is configured to assign different DRB IDs foreach DRB assigned by the MeNB 104. The SeNB-1 106 derives a KUPenc key(user plane encryption key) to protect the user plane traffic betweenthem.

At 710, the UE 108 derives the KUPenc key (user plane encryption key) toprotect the user plane traffic between the UE 108 and the SeNB1. The useof a different bearer ID (i.e. the DRB ID) for each bearer andderivation of a fresh S-KeNB ensures that Key stream reuse is avoided.

DRB Addition/Deletion

The steps 712 to 722 illustrate the operations performed by the UE 108,the MeNB 104 and the SeNB 106, when the MeNB decide to offload a DRB. At712, the MeNB 104 initiates a Secondary Cell Group (SCG) Modificationprocedure to add a second DRB#2 in addition to DRB#1 to the selectedSeNB 106. At 714, it is indicated that DRB-ID duplication is avoided byassigning a new DRB ID for the offloaded DRB. For the SCG Modificationprocedure, a new key is not issued and an old key (the KUPenc, derivedfrom S-KeNB1) is used for protecting both DRB#1 and DRB#2. The uniquenon-repetitive security base key (S-KeNB) associated with SeNB 106 isderived by the MeNB 104 and forwarded to the SeNB 106 only for the SCGaddition procedure (first DRB offloading, X2-AP: SCG AdditionIndication). For the additional DRB addition to the same SeNB 106(X2-AP: SCG Modification Indication), no new key is provided to the SeNB106. At any point of time, only one key (KUPenc) derived from S-KeNB isused for protecting all the DRBs of a UE 108 between the SeNB 106 andthe UE 108.

At step 716, an SCG modification indication (DRB #2 addition) is sent tothe SeNB 106. At 718, an RRC connection reconfiguration message is sentto the UE 108 indicating the addition of DRB#2.

At 720, once the data transfer associated with the DRB is complete, theMeNB 104 is configured to delete the DRB #2 associated with the SeNB106. The MeNB 104 sends the SCG modification indication (DRB #2deletion) to the SeNB 106. At 722, an RRC connection reconfigurationmessage is sent to the UE 108 indicating the deletion of DRB#2.

Consider an example, when a user of the UE 108 views a video (a highdata rate application) in addition to file downloading in progress. Insuch a scenario, the MeNB 104 may assign a DRB #2 to the SeNB 106 tohandle downloading of the video. Once the downloading of the video iscomplete the DRB 2 is deleted.

SCG Release

Step 724 to 732: The steps 724 to 732 illustrate the operationsperformed by the UE 108, the MeNB 104 and the SeNB 106, when the MeNB104 decides to release a SeNB 106 from the UE 108. At 724, the MeNB 104initiates release procedure to release all resource allocated in theSeNB 106 for the UE 108. At 726, the MeNB 104 sends an X2 message to theSeNB 106 for releasing the resources of SeNB 106.

At 728, on receiving a SCG Release message, the SeNB 106 deletes thesecurity key S-KeNB1 sent by the MeNB 104.

At 730, an RRC connection reconfiguration message is sent to the UE 108indicating the release of SeNB 106.

At 732, on receiving a SCG Release message, the UE 108 deletes thesecurity key (S-KeNB1) sent by the MeNB 104.

Since SCG context is deleted any fresh offload of DRB will create a newSCG context with new S-KeNB and all the DRB-IDs (including those used instep 0 to Step 8) become re-usable again. The deletion of these securitykeys at the SeNB 106 and the UE 108 ensure re-use of the security keysderived at the MeNB 104 for the SeNB without repetition

Offloading with New Key

Step 734 to 752: The steps 724 to 732 illustrate the operationsperformed by the UE 108, the MeNB 104 and the SeNB 106, when the MeNB104 decides to offload a DRB. At 734, the MeNB 104 decides to offloadthe DRB associated with the UE 108 to the same SeNB-1. At 736, with noSCG context available (after step 710), the MeNB 104 needs to derive anew S-KeNB2 by incrementing the count value in the SCC (SCC changes fromSCC=0 to SCC=1) and forwards the key to the SeNB 106 and the SCC valueto the UE 108. In an embodiment, if the MeNB 104 decides to offload theDRB associated with the UE 108 to the different SeNB (for exampleSeNB-2), then the same procedure from Step 734 to Step 742 areperformed.

The increase of the counter associated the SeNB 106 ensures that thesecurity base key generated for the SeNB 106 is not repeated. Forexample, in case the SeNB 106 gets released from the UE 108 and isassigned again to the UE 108 after a short duration, a new security keyis generated to establish the security context. Similarly, the userplane encryption keys also are updated for each update of the securitybase key (S-KeNB) associated with the SeNB 106.

At 738, the MeNB 104 initiates a Secondary Cell Group (SCG) Modificationprocedure to add a second DRB#1 in to the selected SeNB 106.

At 740, an RRC connection reconfiguration message is sent to the UE 108indicating the addition of DRB#1 and the incremented SCC counter value.

At 742, the UE 108 derives the security base key (S-KeNB2) using the SCCparameter received from the MeNB 104. Similarly, the UE 108 and theSeNB-1 derives KUPenc key from S-KeNB2 to protect the user plane trafficbetween them.

After the sometime, if the MeNB 104 decides to release the SeNB-1 106for the UE 108, the MeNB 104 initiates release procedure to release allresource in SeNB 106 for the UE 108. Once the UE 108 and the SeNB 106receives the SCG Release message, keys are deleted.

At 744, the MeNB 104 initiates release procedure to release all resourcein the SeNB 106 for the UE 108. At 726, the MeNB 104 sends an X2 messageto the SeNB for releasing the resources of SeNB 106.

At 746 and 748, on receiving a SCG Release message, the SeNB 106 deletesthe security key S-KeNB1 sent by the MeNB 104.

At 750, an RRC connection reconfiguration message is sent to the UE 108indicating the release of SeNB 106.

At 752, on receiving a SCG Release message, the UE 108 deletes thesecurity key (S-KeNB1) sent by the MeNB 104.

Key Update Procedure

Steps 754 to 790: The steps 724 to 732 illustrate the operationsperformed by the UE 108, the MeNB 104 and the SeNB 106, when the MeNB104 could not assign different DRB IDs, due to exhaust of DRB IDs andperforms key update procedure.

At 754, the MeNB 104 decides to offload the DRB associated with the UE108 to the same SeNB-1. At 756, with no SCG context available (afterstep 710), the MeNB 104 needs to derive a new S-KeNB3 by incrementingthe count value in the SCC (SCC changes from SCC=1 to SCC=2) andforwards the key to the SeNB 106 and the SCC value to the UE 108.

The increase of the counter associated the SeNB 106 ensures that thesecurity base key generated for the SeNB 106 is not repeated.

At 758, the MeNB 104 initiates a Secondary Cell Group (SCG) Modificationprocedure to add a second DRB#1 in to the selected SeNB 106. The MeNB104 is configured to send the freshly generated S-KeNB3 to the SeNB 106.

At 760, an RRC connection reconfiguration message is sent to the UE 108indicating the addition of DRB#1 and the incremented SCC counter value(SCC=3).

At 762, the UE 108 derives the security base key (S-KeNB2) using the SCCparameter received from the MeNB 104. Similarly, the UE 108 and theSeNB-1 derives KUPenc key from S-KeNB2 to protect the user plane trafficbetween them.

At 764, the MeNB 104 decides to offload another 35 DRBs in sequence atdifferent time intervals and decides to releases some bearer associatedwith the SeNB 106.

Steps 774 to 790: The steps 774 to 790 illustrate the operationsperformed by the UE 108, the MeNB 104 and the SeNB 106, when the MeNB108 could not assign different DRB IDs, due to exhaust of DRB IDs andperforms key update procedure.

At step 768, an SCG modification indication (DRB #2 addition) is sent tothe SeNB 106. At 718, an RRC connection reconfiguration message is sentto the UE 108 indicating the addition of DRB#2.

At 770, an RRC connection reconfiguration message is sent to the UE 108indicating the addition of DRB#2.

Once the data transfer associated with the DRB is complete, the MeNB 104is configured to delete the DRB #2 associated with the SeNB. The MeNB104 sends the SCG modification indication (DRB #2 deletion) to the SeNB106. At 722, an RRC connection reconfiguration message is sent to the UE108 indicating the deletion of DRB#2.

The process described in steps 768, 770 and the above paragraph isrepeated for all the assigned DRB's.

At 772, the DRB#27 and DRB#32 are active currently between the UE 108and the SeNB 106.

At 774, when a DRB is to be added (say 33th new DRB), the DRB-IDs getexhausted (for example after the 32nd DRBID). So after (or near about)32nd DRB ID use Key update procedure is triggered. At 766, after keyupdate re-use of the DRB IDs become possible. The DRB-ID is used afterthe security base associated with the SeNB1 is updated.

When different DRB IDs are assigned for every successive offloading ofDRBs by the MeNB/SeNB, then possibility of re-using DRB ID ispossibility. It is very uncommon scenario, that for the same S-KeNB(where KeNB is not changed) more than 32 times DRBs are offloaded for aUE. For this scenario, it is always possible to performing key updateprocedure as to avoid DRB ID re-use; however it is expected to beperformed very rarely.

At 776, the SCG Release message is sent to the SeNB 106.

At 778, the SeNB 106 is configured to delete the security key (S-KeNB3)sent by the MeNB 104.

At 780, an RRC connection reconfiguration message is sent to the UE 108indicating the release of SeNB 106.

At 782, the UE 108 deletes the security key (S-KeNB3) used for securecommunication.

At 784, the MeNB 104 needs to generate a new S-KeNB4 for avoiding re-useof bearer ID by incrementing the count value in the SCC (SCC changesfrom SCC=2 to SCC=3) and forwards the key to the SeNB 106 and the SCCvalue to the UE 108.

The increase of the counter associated the SeNB 106 ensures that thesecurity base key generated for the SeNB 106 is not repeated and the DRBID are not reused.

At 786, the MeNB 104 is configured to send the freshly generated S-KeNB4to the SeNB 106. The MeNB 104 initiates a Secondary Cell Group (SCG)Modification procedure to add the multiple DRB's DRB#1, DRB#2, DRB#3,using the freshly derived security key (S-KeNB4) to the selected SeNB106.

At 788, an RRC connection reconfiguration message is sent to the UE 108indicating the addition of DRB#1, DRB#2, DRB#3, and the incremented SCCcounter value (SCC=3).

At 790, the UE 108 derives the security base key (S-KeNB4) using the SCCparameter received from the MeNB 104. Similarly, the UE 108 and theSeNB-1 derives KUPenc key from S-KeNB2 to protect the user plane trafficbetween them.

FIG. 8 is a flow diagram illustrating a method 800 for achieving forwardsecurity using a Down Link (DL) PDCP count for deriving the security keyused for user plane data transmission according to the embodiments asdisclosed herein. In an embodiment, forward security is essential tomitigate key chaining attacks and to ensure that compromise of thesecurity key generated at the MeNB 104 does not lead to compromise ofthe security keys derived at the SeNB 106 and the UE 108. The method 400described above ensures that different security key are used by the SeNB106 for encrypting the DRB between the SeNB 106 and the UE 108, as theuser plane encryption key is different from the security base keygenerated by the MeNB 104. If the MeNB 104 and the SeNB 106 belongs todifferent operators the security used by the SeNB 106 for derivation ofthe user plane encryption key cannot be the security base key generatedby the MeNB 104, as this will lead to comprise of security and open thedata communication to attackers. To overcome the threat of securityattacks due to security compromise, the user plane encryption key isderived using a PDCP count associated with the DRBs being transmitted inthe PDCP PDU for key update between the SeNB 106 and the UE 108 toachieve the forward security. The PDCP count associated with the DRBsbeing transmitted is the freshness parameter to allow securecommunication between the UE 108 and the SeNB 106.

At step 802, the method 800 includes randomly selecting a DL PDCP COUNTat the SeNB 106. The DL PDCP COUNT is randomly selected from the ongoingUser Plane (UP) traffic by the SeNB 106 and used for security keyderivation at the SeNB 106 and the UE 108. Each DL PDCP COUNT can beassociated with a specific DRB. Based on the packets transmitted and theSequence Number (SN) status report received from the UE 108 and the MeNB104, the SeNB 106 can select a random DL PDCP count.

At step 804, the method 800 includes sending the selected DL PDCP countfrom the SeNB 106 in the DL PDCP header with an indication to update thesecurity key. The selected DL PDCP COUNT is indicated to the UE 108 inthe PDCP PDU such that the UE 108 uses the security key indicated by thePDCP COUNT for security key derivation.

At step 806, the method 800 includes deriving at the UE 108 the securitykey using the DL PDCP count for securely transmitting data between theSeNB 106 and the UE 108. On receiving the key update request, the UE 108can be configured to derive the security key to be used forcommunication between the UE 108 and the SeNB 106. In an embodiment, thesecurity key derivation at UE using selected DL PDCP COUNT is asfollows:

-   -   KeNB_s′=KDF{KeNB_s (in use), selected PDCP COUNT, SeNB-PCI,        SeNB-EARFCN-DL}

In an embodiment, the key derivation is as follows:

KeNB_s′=KDF{KeNB_s (in use), PDCP COUNT (selected)}

After deriving the KeNB_s′, the SeNB 106 and the UE 108 starts using theKeNB_s′ as KeNB_s.

In an embodiment, the KeNB_s is used as it is for user plane protection(ciphering). Alternatively, the KeNB_s is used to derive further keys(similar to the KeNB specified in TS 33.401) for user plane encryption,integrity protection and RRC signaling protection (in case of the SeNB106 and the UE 108 having an RRC signaling between them).

In an embodiment, the UE 108 takes the PDCP SN from the indicated PDCPPDU and the stored Hyper Frame Number (HFN).

The PDCP COUNT is HFN+PDCP SN.

At step 808, the method 800 includes verifying the derived security keyis verified. The UE 108 can be configured to verify if the derivedsecurity key is same as the security key received in the MAC-I receivedfrom the SeNB 106. Different UE PDCP COUNT Value is included within theCounter Check Response message. The UE compares the PDCP COUNT valuesreceived in the Counter Check message with the values of its radiobearers.

Based on the verification of the derived security key in step 810, thedata communication between the UE 108 and the SeNB 106 is secured. Atstep 810, the method 800 includes determining if the verification of thederived security key at the UE 108 is successful. The UE 108 comparesthe PDCP COUNT values received in the Counter Check message with thevalues of its radio bearers.

At step 812, the method 800 includes using the derived security key forsecurely transmitting data between the UE 108 and the SeNB 106 from thenext PDCP count. Once the PDCP count wraps around, the UE 108 startsusing the freshly/newly derived security key.

At step 814, the method 800 includes reporting a discrepancy. If theSeNB 106 receives a counter check response message that contains one orseveral PDCP COUNT values, the SeNB 106 may release the connection orreport the difference of the PDCP COUNT values for the serving MME orO&M server for further traffic analysis for e.g., detecting theattacker. When the SeNB 106 receives a counter check response messagethat does not contain any PDCP COUNT values, the method 800 iscompleted.

The various actions and interactions performed by the UE 108, the MeNB104, and the SeNB 106, to achieve forward security are described indetail in conjunction with the FIG. 8

The various actions, acts, blocks, steps, and the like in the method 800may be performed in the order presented, in a different order orsimultaneously. Further, in some embodiments, some actions, acts,blocks, steps, and the like may be omitted, added, modified, skipped,and the like without departing from the scope of the invention.

Unlike security mechanism used in the earlier release of the 3GPP, inwhich the same security key is used by the SeNB 106 for communicationwith the MeNB 104 and the UE 108, the method of forward securitydescribed in the proposed system and method provides separate securitykeys at the SeNB 106 for the UE 108.

The use of separate ciphering at the PDCP layer of the MeNB 104 and theSeNB 106, i.e., different security keys at the MeNB 104 and the SeNB 106provides additional security. Further, due to the key separation forwardsecurity can be achieved and the DRB's between the SeNB 106 and the UE108 can be transmitted securely. Further, even if the security keyassociated with MeNB 104 is compromised, the security key used by the UE108 and the SeNB 106 is secure.

Consider an example scenario, when the MeNB 104 determines a SeNB 106.To secure the data communication between the SeNB 106 and the UE 108,the SeNB 106 can select a DL PDCP COUNT for deriving the security key tobe used for communication between the SeNB 106 and the UE 108. If theSeNB 106 selects a packet 7 (from a set of packets being transmitted).The packet 7 is indicated to the UE 108, so that the UE 108 can startusing the new security from packet 7. At the UE 108 end, based on thePDCP wrap around and the verification of the derived security key, theUE 108 starts using the derived security key for communication with theSeNB 106. In case, the PDCP wrap around occurs at packet 10, the UE 108can start using the derived security key for communication with the SeNB106 from packet 10 onwards.

As the data path protection is done using the existing PDCP layer, thereis no additional implementation cost at the operator end.

FIG. 9 is an example sequence diagram illustrating various operations ofa method 900 performed between a UE, a first eNB, a second eNB toachieve forward security using a DL PDCP count for deriving the securitykey used for user plane data transmission, according to embodiments asdisclosed herein. In an embodiment to achieve forward security, the DLPDCP count of the DRB being transmitted can be used for deriving theuser plane encryption key for the user plane data transmission. At 902,the MeNB 104 can be configured to determine if an SeNB 106 needs toserve the UE 108. As Multiple SeNB's 106 can be managed by a single MeNB104, the selection of the SeNB 106 may depend on several factors likechannel measurement, the location of the UE 108, load information, andthe like.

At 904, a Scell Add Request is sent to the SeNB 106 from the MeNB 104.Once a Scell of the SeNB 106 is selected, the MeNB 104 can be configuredto send a request for adding a secondary cell for serving the UE 108. At906, a Scell Add Response is received at the MeNB 104 from the SeNB 106.The SeNB 106 sends an acknowledgement and confirmation of the addedsecondary cell (Scell) to the MeNB 104.

At 908, the MeNB 104 stops the downlink data transmission between theMeNB 104 and the UE 108. As the MeNB 104 has added a secondary cell ofthe SeNB 106 and stopped data transmission to the UE 108, the MeNB 104needs to initiate the reconfiguration of the RRC connection between theUE 108 and the MeNB 104.

As there are no SRB between the UE 108 and the SeNB 106, the MeNB 104needs to inform the change of eNB to the UE 108. At step 910, the RRCconnection reconfiguration message is sent to the UE 108 as a securitymessage. Further, the security message includes the count of the NCCmaintained at the MeNB 104.

At 912, the MeNB 104 can be configured to send the Sequence Number countassociated with the data transmission.

At 914, the MeNB 104 can be further configured to send a message to theSeNB 106 to indicate that DRBs can be forwarded (offloaded) to the SeNB106. At 916, based on the information received from the MeNB 104, the UE108 can be configured to stop the uplink data transmission between theMeNB 104 and the UE 108. At 918, the UE 108 can be configured togenerate a security base key for the SeNB 106. The security base key isgenerated using a vertical key derivation, which makes use of the NHparameters received from the MeNB 104.

At 920, the RRC connection reconfiguration between the UE 108 and theMeNB 104 is completed. At 922, the communication path between the UE 108and the SeNB 106 is established. At 924, the counters LCH_S is startedat the SeNB 106 and the UE 108. At 926, a new key KeNB_M=K1 is derivedat the UE 108 using a security base key associated with the MeNB 104 andthis key (k1) is applied for LCH_M

At 928, a new key KeNB_S=K2 is derived at the MeNB 104 and this key (k2)is applied for LCH_S. At 930, the MeNB 104 shares a PDCP status reportwith the UE 108 and the SeNB 106. The PDCP status report informs theSeNB 106 about the packet transmission status. Further, in case whensome packets are received incorrectly or incompletely or with error, theUE 108 can inform the SeNB 106.

This PDCP status report message can be sent in the form of the PDCPStatus PDU.

At step 932, the SeNB 106 randomly selects a DL PDCP COUNT. The DL PDCPCOUNT is randomly selected from the ongoing User Plane traffic by theSeNB 106 and used for security key derivation at the SeNB 106 and the UE108. Each DL PDCP COUNT can be associated with a specific DRB. Based onthe packets transmitted and the sequence number status report receivedfrom the UE 108 and the MeNB 104, the SeNB 106 can select a random DLPDCP count. The SeNB 106 derives the security key to be used by the UE108. The derived security key is used for creating a MAC-I, which issent to the UE 108 to verify the derived key at the UE 108.

At 934, the SeNB 106 can be configured to send the selected DL PDCPcount from the SeNB 106 in the PDCP header with an indication to updatethe security key using the packet PDCP count. The PDCP header alsocontains the MAC-I derived using derived security key at the SeNB 106.

At 936, the UE 108 can be configured to derive a security key using saidDL PDCP count for securely transmitting data between the SeNB 106 andthe UE 108. The key derivation using selected PDCP COUNT is as follows:KeNB_s′=KDF {KeNB_s (in use), selected PDCP COUNT, SeNB-PCI,SeNB-EARFCN-DL}.

In an embodiment, the key derivation is as follows:

KeNB_s′=KDF {KeNB_s (in use), PDCP COUNT (selected)}

After deriving the KeNB_s′, the SeNB and the UE starts using the KeNB_s′as KeNB_s.

In an embodiment, the KeNB_s is used as it is for user plane protection(ciphering). Alternatively, the KeNB_s is used to derive further keys(similar to the KeNB specified in TS 33.401) for user plane encryption,integrity protection and RRC signaling protection (in case where theSeNB 106 and the UE 108 having an RRC signaling between them).

The UE 108 takes the PDCP Sequence Number (SN) from the indicated PDCPPDU and the stored Hyper Frame Number (HFN).

PDCP COUNT is HFN+PDCP SN

The UE 108 can be further configured to verify if the derived key issame as the key received in the MAC-I received from the SeNB 106. Basedon the verification of the derived security key in step 410, the datacommunication between the UE 108 and the SeNB 106 is secured. At 938,once the PDCP count wraps around, the UE 108 starts using the newderived security key.

FIG. 10 is a flow diagram illustrating a method for achieving forwardsecurity using a DL PDCP count and a Up Link (UL) PDCP count forderiving the security key used for user plane data transmission,according to the embodiments as disclosed herein.

At step 1002, the method 1000 includes randomly selecting a DL PDCPCOUNT at the SeNB 106. The DL PDCP COUNT is randomly selected from theongoing user plane traffic by the SeNB 106 and used for security keyderivation at the SeNB 106 and the UE 108. Each DL PDCP COUNT can beassociated with a specific DRB. Based on the packets transmitted and thesequence number status report received from the UE 108 and the MeNB 104,the SeNB 106 can select a random DL PDCP count.

At step 1004, the method 1000 includes sending the selected DL PDCPcount from the SeNB 106 in the DL PDCP header with an indication toupdate the security key. The selected DL PDCP COUNT is indicated to theUE 108 in the PDCP PDU, such that the UE 108 uses the security keyindicated in the PDCP COUNT for the security key derivation.

At step 1006, the method 1000 includes selecting an UL PDCP COUNT at theUE 108. The UL PDCP COUNT is randomly selected from the ongoing userplane traffic by the SeNB 106 and used for security key derivation atthe SeNB 106.

At step 1008, the method 1000 includes deriving at the UE 108 thesecurity key using the selected UL PDCP count and the selected DL PDCPcount for securely transmitting data between the SeNB 106 and the UE108. On receiving the key update request, the UE 108 can be configuredto derive the security key to be used for communication between the UE108 and the SeNB 106.

The security key derivation at UE 108 using selected DL and UL PDCPCOUNT is as follows:

-   -   KeNB_s′=KDF {KeNB_s (in use), selected UL/DL PDCP COUNT,        SeNB-PCI, SeNB-EARFCN-DL}.

In an embodiment, the key derivation is as follows:

-   -   KeNB_s′=KDF {KeNB_s (in use), UL/DL PDCP COUNT (selected)}

After deriving the KeNB_s′, the SeNB 106 and the UE 108 starts using theKeNB_s′ as KeNB_s.

At step 1012, the method 1000 includes sending the selected UL PDCP withan indication to update the security key to the SeNB 106.

At step 1014, the method 1000 includes deriving at the SeNB 106 thesecurity key using the selected UL PDCP count and the selected DL PDCPcount for securely transmitting data between the SeNB 106 and the UE108.

At step 1016, the method 1000 includes verifying the derived securitykey using the MAC-I received from the SeNB 106. Based on theverification of the derived security key in the step 1016, the datacommunication between the UE 108 and the SeNB 106 is secured. Thevarious operations performed by the UE 108, the MeNB 104, and the SeNB106, to achieve forward security are described in detail in conjunctionwith the FIG. 10

At step 1018, the method 1000 includes verifying the derived securitykey is verified. The UE 108 can be configured to verify if the derivedsecurity key is same as the security key received in the MAC-I receivedfrom the SeNB 106. Different UE PDCP COUNT values are included withinthe Counter Check Response message. The UE 108 compares the PDCP COUNTvalues received in the Counter Check message with the values of itsradio bearers.

At step 1018, the method 1000 includes determining if the verificationof the derived security key at the UE 108 is successful. The UE 108compares the PDCP COUNT values received in the Counter Check messagewith the values of its radio bearers.

At step 1020, the method 1000 includes using the derived security keyfor securely transmitting data between the UE 108 and the SeNB 106 fromthe next PDCP count. When the PDCP count associated with the DRB isabout to wrap around, the UE 108 can be configured to use the derivedsecurity key.

At step 1022, the method 1000 includes reporting a discrepancy. If theSeNB 106 receives a counter check response message that contains one orseveral PDCP COUNT values then the SeNB 106 may release the connectionor report the difference of the PDCP COUNT values for the serving MME orO&M server for further traffic analysis for e.g., detecting theattacker.

The SeNB 106 receives a counter check response message that does notcontain any PDCP COUNT values, the method is completed.

Consider an example scenario, when the MeNB 104 determines on a SeNB106. To secure the data communication between the SeNB 106 and the UE108, the SeNB 106 can select a DL PDCP COUNT for deriving the securitykey to be used for communication between the SeNB 106 and the UE 108. Ifthe SeNB 106 selects a packet 9 (from a set of packets beingtransmitted). The packet 9 is indicated to the UE 108, so that the UE108 can start using the new security from packet 9. At the UE 108, basedon the received DL PDCP count and a randomly selected UL PDCP count, theUE 108 derives a security key. The selected UL PDCP count is sent to theSeNB 106 so that the UE 108 starts using the derived security key forcommunication with the SeNB 106. At the SeNB 106, the security isderives using the selected DL PDCP count and received UL PDCP count. Incase, the PDCP wrap around occurs at packet 10 at the SeNB 106, UE 108and the SeNB 106 can start using the derived security key forcommunication from packet 10 onwards.

As the data path protection is done using the existing PDCP layer, thereis no additional implementation cost at the operator end.

The various actions, acts, blocks, steps, and the like in the method1000 may be performed in the order presented, in a different order orsimultaneously. Further, in some embodiments, some actions, acts,blocks, steps, and the like may be omitted, added, modified, skipped,and the like without departing from the scope of the invention.

FIG. 11 is an example sequence diagram illustrating various operationsof a method 1100 performed between a UE, a first eNB, a SeNB 106 toachieve forward security using a DL PDCP count and a UL PDCP count forderiving the security key used for user plane data transmission,according to embodiments as disclosed herein.

In an embodiment, to achieve forward security, the DL PDCP count and theUL PDCP count in the use plane traffic can be used for deriving the userplane encryption key for the user plane data transmission.

At 1102, the MeNB 104 can be configured to determine if a SeNB 106 needsto serve the UE 108. As Multiple SeNB's 106 can be managed by a singleMeNB 104. The selection of the SeNB 106 may depend on several factorslike channel measurement, the location of the UE 108, and loadinformation, and the like.

At 1104, a Scell Add Request is sent to the SeNB 106 from the MeNB 104.Once a Scell of the SeNB 604 is selected, the MeNB 104 can be configuredto send a request for adding a secondary cell for serving the UE 108

At 1106, a Scell Add Response is received at the MeNB 104 from the SeNB106. The SeNB 106 sends an acknowledgement and confirmation of the addedsecondary cell (Scell) to the MeNB 104.

At 1108, the MeNB 104 stops the downlink data transmission between theMeNB 104 and the UE 108. As the MeNB 104 has added a secondary cell ofthe SeNB 106 and stopped data transmission to the UE 108, the MeNB 104needs to inform UE 108 by initiating the reconfiguration of the RRCconnection between the UE 108 and MeNB 104.

As there are no SRB's between the UE 108 and the SeNB 106, the MeNB 104needs to inform the change of SeNB to the UE 108.

At 1110, the RRC connection reconfiguration message is sent to the UE108 as a security message. Further, the security message includes thecount of the Next Hop Chaining Counter (NCC) maintained at the MeNB 104.

At 1112, the MeNB 104 can be configured to send the Sequence Number (SN)count associated with the data transmission.

At 1114, the MeNB 104 can be configured to send a message to the SeNB106 to indicate that Data Radio Bearer (DRBs) will be forwarded(offloaded) to the SeNB 106.

At 1116, based on the information received from the MeNB 104, the UE 108can be configured to stop the uplink data transmission between the MeNB104 and the UE 108.

At 1118, the UE 108 can be configured to generate a security base keyfor the SeNB 106. This security base key is generated using a verticalkey derivation, which makes use of Next Hop (NH) parameters receivedfrom the MeNB 104.

At 1120, the RRC connection reconfiguration between the UE 108 and theMeNB 104 is completed.

At 1122, the communication path between the UE 108 and the SeNB 106 isestablished.

At 1124, the counters LCH_S is started at the SeNB 106 and the UE 108.

At 1126, a new key KeNB_M=K1 is derived at the UE 108 using a securitybase key associated with the MeNB 104 and this key (k1) is applied forLCH_M

At 1128, a new key KeNB_S=K2 is derived at the MeNB 104 and this key(k2) is applied for LCH_S

At 1130, a PDCP status report is shared by the MeNB 104, with the SeNB106 and the UE 108. The PDCP status report informs the SeNB 106 aboutthe packet transmission status. Further in case some packets arereceived incorrectly or incompletely or with error, the UE 108 caninform the SeNB 106. This PDCP status report message can be send in theform of PDCP Status PDU.

At 1132, the SeNB 106 randomly selects a Downlink PDCP (DL PDCP) COUNT.The PDCP COUNT is randomly selected from the ongoing User Plane (UP)traffic by the SeNB 106 and used for security key derivation at the SeNB106 and the UE 108. Each DL PDCP COUNT can be associated with a specificdata radio bearer (DRB). Based on the packets transmitted and theSequence Number (SN) status report received from UE 108 and MeNB 104,the SeNB 106 can select a random DL PDCP count. The SeNB 106 derives thesecurity key to be used by the UE 108. The derived security key is usedfor creating a MAC-I, which is sent to the UE 108 to verify the derivedkey at the UE 108.

At 1134, the SeNB 106 can be configured to send the selected DL PDCPcount from the SeNB 106 in the PDCP header with an indication to updatethe security key using the packet PDCP count. The PDCP header alsocontains the MAC-I derived using derived security key at SeNB 106.

At 1136, the UE 108 selects an Uplink PDCP (UL PDCP). The UL PDCP COUNTis randomly selected from the ongoing User Plane (UP) traffic by theSeNB 106 and used for the security key derivation at the SeNB 106 andthe UE 108. The UE derives the security key using the UL PDCP count andthe DL PDCP count for securely transmitting data between the SeNB 106and the UE 108.

At 1138, the UE 108 can be configured to send the selected UL PDCP withan indication to update the security key to the SeNB 106. On receivingthe key update request, the SeNB 106 can be configured to derive thesecurity key to be used for communication between the UE 108 and theSeNB 106.

At 1140, the SeNB 106 can be configured to derive the security key usingthe UL PDCP count and the DL PDCP count for securely transmitting databetween the SeNB 106 and the UE 108. The SeNB 106 can be furtherconfigured to verify if the derived key is same as the key received inthe MAC-I received from the UE 108.

At 1142, once the PDCP count wraps around at the SeNB 106, the SeNB 106and the UE 108 starts using the derived security key.

FIG. 12 is a flow diagram illustrating a method for achieving forwardsecurity using a nonce for deriving the security key used for user planedata transmission, according to the embodiments as disclosed herein.

At step 1202, the method 1200 includes sending the selected nonce fromthe SeNB 106 in the PDCP header with an indication to update thesecurity key.

At step 1206, the method 1200 includes deriving at the UE 108 thesecurity key using the nonce for securely transmitting data between theSeNB 106 and the UE 108. On receiving the key update request, the UE 108can be configured to derive the security key to be used forcommunication between the UE 108 and the SeNB 106.

The security key derivation at UE using selected NONCE is as follows:

-   -   KeNB_s′=KDF {KeNB_s (in use), NONCE, SeNB-PCI, SeNB-EARFCN-DL}

In an embodiment, the key derivation is as follows:

KeNB_s′=KDF {KeNB_s (in use), NONCE}

After deriving the KeNB_s′, the SeNB 106 and the UE 108 starts using theKeNB_s′.

At step 1208, the method 1200 includes sending the key updateacknowledgement from the UE 108 in the PDCP header to the SeNB 106.

At step 1210, the method 1200 includes using the derived security keyfor securely transmitting data between the UE 108 and the SeNB 106 fromthe next PDCP count. When the PDCP count associated with the DRB isabout to wrap around, the UE 108 106 can be configured to use thederived security key. Although the method 1200 is described by selectingnonce for the downlink scenario at the SeNB 106, it must be understoodthat a nonce can be selected at the UE 108 and sent to the SeNB 106 inan UL PDCP header. The various actions, acts, blocks, steps, and thelike in method 1200 may be performed in the order presented, in adifferent order or simultaneously. Further, in some embodiments, someactions, acts, blocks, steps, and the like may be omitted, added,modified, skipped, and the like without departing from the scope of theinvention.

FIG. 13 is an example sequence diagram illustrating various operationsperformed between a UE, a first eNB, a SeNB 106 to achieve forwardsecurity using nonce for deriving the security key used for user planedata transmission, according to embodiments as disclosed herein.

In an embodiment to achieve forward security, a nonce at the SeNB 106 orthe UE 108 can be used for deriving the user plane encryption key forthe user plane data transmission.

At 1302, the MeNB 104 can be configured to determine if a SeNB 106 needsto serve the UE 108. As Multiple SeNB's 106 can be managed by a singleMeNB 104. The selection of the SeNB 106 may depend on several factorslike channel measurement, the location of the UE 108, and loadinformation and the like.

At 1304, a Scell Add Request is sent to the SeNB 106 from the MeNB 104.After deciding the SeNB 106, the MeNB 104 can be configured to requestfor adding a secondary cell for serving the UE 108.

At 1306, a Scell Add Response is received at the MeNB 104 from the SeNB106. The SeNB 106 sends an acknowledgement and confirmation of the addedsecondary cell (Scell) to the MeNB 104.

At 1308, the MeNB 104 stops the downlink data transmission between theMeNB 104 and the UE 108. As the MeNB 104 has added a secondary cell ofthe SeNB 106 and stopped data transmission to the UE 108, the MeNB 104needs to inform the UE 108 by initiating the reconfiguration of theRadio Resource Control (RRC) connection between the UE 108 and MeNB 104.

As there are no SRB's between the UE 108 and the SeNB 106, the MeNB 104needs to inform the change of eNB to the UE 108.

At step 1310, the RRC connection reconfiguration message is sent to theUE 108 as a security message. Further, the security message includes thecount of the Next Hop Chaining Counter (NCC) maintained at the MeNB 104.

At 1312, the MeNB 104 can be configured to send the Sequence Number (SN)count associated with the data transmission.

At 1314, the MeNB 104 can be further configured to send a message to theSeNB 106 to indicate that Data Radio Bearer (DRB) which will beforwarded (offloaded) to the SeNB 106.

At 1316, based on the information received from the MeNB 104, the UE 108can be configured to stop the uplink data transmission between the MeNB104 and the UE 108.

At 1318, the UE 108 can be configured to generate a security base keyfor the SeNB 106. This security base key is generated using a verticalkey derivation, which makes use of Next Hop (NH) parameters receivedfrom the MeNB 104.

At 1320, the RRC connection reconfiguration between the UE 108 and theMeNB 104 is completed.

At 1322, the communication path between the UE 108 and the SeNB 106 isestablished.

At 1324, the counters LCH_S is started at the SeNB 106 and the UE 108.

At 1326, a new key KeNB_M=K1 is derived at the UE 108 using a securitybase key associated with the MeNB 104 and this key (k1) is applied forLCH_M

At 1328 a new key KeNB_S=K2 is derived at the MeNB 104 and this key (k2)is applied for LCH_S.

At 1330, the PDCP status report is shared by the MeNB 104 with the UE108 and the SeNB 106. The PDCP status report informs the SeNB 106 aboutthe packet transmission status. Further in case some packets arereceived incorrectly or incompletely or with error, the UE 108 caninform the SeNB 106. This PDCP status report message can be send in theform of PDCP Status PDU.

At step 1332, the SeNB 106 randomly selects and generates a nonce.

At 1334, the SeNB 106 can be configured to send the selected nonce fromthe SeNB 106 in the PDCP header with an indication to update thesecurity key.

At 1336, the UE 108 can be configured to derive a security key using thenonce for securely transmitting data between the SeNB 106 and the UE108.

The key derivation using selected nonce is as follows: KeNB_s′=KDF{KeNB_s (in use), nonce, SeNB-PCI, SeNB-EARFCN-DL}.

In an embodiment, the key derivation is as follows:

KeNB_s′=KDF {KeNB_s (in use), nonce}

After deriving the KeNB_s′, the SeNB and the UE starts using the KeNB_s′as KeNB_s.

At 1338, once the PDCP count wraps around, the UE 108 starts using thenew derived security key.

At 1338, a key update acknowledgement from the UE 108 is sent to theSeNB 106 in the PDCP header.

At 1340, the once the PDCP count wraps around, the UE 108 starts usingthe new derived security key.

FIG. 14 is a flow diagram describing the method for securing radioaccess with inter-evolved node B (eNB) carrier aggregation, according tothe embodiments as disclosed herein.

As the security capabilities of the UE 108 and the SeNB 106 may bedifferent, and there is no RRC signaling between the UE 108 and the SeNB106, the MeNB 104 needs to establish the security context forcommunication between the SeNB 106 and the UE 108. The MeNB 104 is theanchoring eNB for the UE 108. (RRC signaling is only available betweenthe MeNB 104 and the UE 108). The MeNB 104 needs to set up the securitycontext for the SeNB 106 at the UE 108 using RRC ConnectionReconfiguration.

At step 1402, the method 1400 includes sending by said first eNB, thecapabilities of the UE 108 to the SeNB 106 in an X2 message. The UE 108capabilities are associated with security parameters that said UE 108supports.

In an embodiment, the master eNB (MeNB) 104 can store at least onesecurity parameter associated with a secondary eNB (SeNB) 106.

At step 1404, the method 1400 includes selecting the security parametersat the SeNB 106 based on the SeNB 106 local configuration and the UE 108capabilities received from the MeNB 104

At step 1406, the method 1400 includes sending a response to the MeNB104 on the X2 interface between the MeNB 104 and the SeNB 106 indicatingthe security parameters selected by the SeNB 106.

At step 1408, the method includes informing the selected securityparameter to the UE 108 in a RRC message. As there is no RRC connectionbetween the UE 108 and the SeNB 106, the MeNB 104 sends the selectedsecurity parameters received from the SeNB 106.

FIG. 15 is an example sequence diagram illustrating the interactions ofa method 1500 between the UE 108, the MeNB 104, the SeNB 106 tocommunicate the security algorithm used by the SeNB 106 to the UE 108 inthe inter-evolved node B (eNB) carrier aggregation, according toembodiments as disclosed herein.

At 1502, the MeNB 104 can be configured to determine the SeNB 106 to beadded. Multiple SeNB's 106 can be managed by the MeNB 104. The selectionof the SeNB 106 may depend on several factors like channel measurement,the location of the UE 108, and load information and the like.

At 1504, a Scell Add Request is sent to the SeNB 106 from the MeNB 104.After deciding the SeNB 106, the MeNB 104 can be configured to requestfor adding a secondary cell for serving the UE 108. Further, the MeNB104 can be configured to indicate the security capabilities of the UE108 to the SeNB 106.

At 1506, a Scell Add Response is received at the MeNB 104 from the SeNB106. The SeNB 106 can be configured to send an acknowledgement andconfirmation of an added secondary cell (Scell) associated with the SeNB106 to the MeNB 104. Further, the SeNB 106 sends across the selectedsecurity algorithms to be used for communication to the MeNB 104.

At 1508, the MeNB 104 stops the downlink data transmission between theMeNB 104 and the UE 108. As the MeNB 104 has added a secondary cell ofthe SeNB 106 and stopped data transmission to the UE 108, the MeNB 104needs to initiate the reconfiguration of the Radio Resource Control(RRC) connection between the UE 108 and MeNB 104. The RRC connectionreconfiguration message includes the selected cryptographic algorithmsof the SeNB 106.

FIG. 16 is an example sequence diagram 1600 illustrating theinteractions between the UE 108 and MeNB 104 for security contextestablishment, according to embodiments as disclosed herein. Thesequence diagram 1400 depicts MeNB 104 setting up the security contextfor the SeNB 106 using Security Command Mode Procedure whilecommunicating with the UE 108.

At 1602, the MeNB 104 can be pre-configured with the securitycapabilities of the SeNB 106. In some cases, if the pre-configuredsecurity capabilities of the SeNB 106 are not available, the MeNB 104can select a default security algorithm.

In an embodiment, the security capabilities can include, but is notlimited to, integrity algorithms, and ciphering algorithms.

At 1604, the MeNB 104 can be configured to send the securitycapabilities of the SeNB 106 to the UE 108.

In an embodiment, the Security Context between the SeNB 106 and the UE108 is established using the RRC signaling between the UE 108 and theMeNB 104.

In an embodiment, the MeNB 104 selects (based on theoperator's/network's policy) no security protection by selecting NULLalgorithms for the data radio bearers (DRBs) between the UE 108 and theSeNB 106. In another embodiment, if there is RRC signaling possiblebetween the UE 108 and the SeNB 106, then SeNB 106 selects (based on theoperator's/network's policy) no security protection by selecting NULLalgorithms for the data radio bearers (DRBs) between the UE 108 and theSeNB 106.

FIG. 17 illustrates the key update indicator and Message AuthenticationCode for Integrity value generated using the new security key present inthe PDCP PDU, according to the embodiments as disclosed herein. Thesecurity headers include a key update indicator (KU) and the PDCPSequence Number (SN) of the data packets which are being transmitted.The header included in every PDCP PDU contains security information forthe PDCP PDU. Key Update (KU) indicator in the PDCP PDU indicates to theUE 108 to use the PDCP SN for updating the security key. Further, thePDCP PDU also includes the MAC-I to verify the data integrity of themessage at the receiver. For the DRB's PDU, ciphering at PDCP isperformed using post header compression, and deciphering is performedusing pre header decompression

FIG. 18 illustrates the key update indicator and the NONCE carried overin the PDCP PDU, according to the embodiments as disclosed herein. Theheader included in every PDCP PDU contains security information for thePDCP PDU. The security headers include a key update indicator (KU) andthe PDCP Sequence Number (SN) which is being transmitted. The headerincluded in every PDCP PDU contains security information for the PDCPPDU. Key Update (KU) indicator in the PDCP PDU indicated to the UE 108to use the PDCP SN for updating the security key. Further, the PDCP PDUalso includes the NONCE to verify the data integrity of the message atthe receiver. For the DRB's PDU, ciphering at PDCP is performed usingpost header compression, and deciphering is performed using pre headerdecompression.

FIG. 19 depicts a computing environment implementing a method and systemfor creating a secure connection for the UE in a wireless networkincluding the first eNB connected to the SeNB, according to theembodiments as disclosed herein. As depicted, the computing environment1902 comprises at least one processing unit 1904 that is equipped with acontrol unit 1906 and an Arithmetic Logic Unit (ALU) 1908, a memory 1910a storage unit 1912, a clock chip 1914, plurality of networking devices1916, and a plurality Input output (I/O) devices 1918. The processingunit 1904 is responsible for processing the instructions of thealgorithm. The processing unit 1904 receives commands from the controlunit 1906 in order to perform its processing. Further, any logical andarithmetic operations involved in the execution of the instructions arecomputed with the help of the ALU 1908.

The overall computing environment 1902 can be composed of multiplehomogeneous or heterogeneous cores, multiple CPUs of different kinds,special media and other accelerators. The processing unit 1904 isresponsible for processing the instructions of the algorithm. Theprocessing unit 1904 receives commands from the control unit 1906 inorder to perform its processing. Further, any logical and arithmeticoperations involved in the execution of the instructions are computedwith the help of the ALU 1908. Further, the plurality of process unitsmay be located on a single chip or over multiple chips.

The algorithm comprising of instructions and codes required for theimplementation are stored in either the memory unit 1910 or the storage1912 or both. At the time of execution, the instructions may be fetchedfrom the corresponding memory 1910 or storage 1912, and executed by theprocessing unit 1904. The processing unit 1904 synchronizes theoperations and executes the instructions based on the timing signalsgenerated by the clock chip 1914. The embodiments disclosed herein canbe implemented through at least one software program running on at leastone hardware device and performing network management functions tocontrol the elements.

The elements shown in the FIGS. 1, 2 and 3 include various units,blocks, modules, or steps described in relation with methods, processes,algorithms, or systems of the present invention, which can beimplemented using any general purpose processor and any combination ofprogramming language, application, and embedded processor.

What is claimed is:
 1. A method by a first base station in a mobile communication system, the method comprising: receiving, from a second base station, a request for updating a first security key associated with the second base station, the first security key being generated by using a secondary cell group (SCG) counter value to avoid a key repetition; updating the SCG counter value; updating the first security key using the updated SCG counter value and a base security key associated with the first base station, the base security key being received from a mobility management entity (MME); and transmitting, to the second base station, the updated first security key, wherein the updated first security key is used to generate a second security key, which is used for encrypting data between a terminal and the second base station, wherein at least one cell associated with the first base station and at least one cell associated with the second base station are aggregated for the terminal, and wherein the request is received if a packet data convergence protocol (PDCP) count associated with a data radio bearer (DRB) wraps around.
 2. The method of claim 1, further comprising: transmitting a radio resource control (RRC) connection reconfiguration message including the updated SCG counter value to the terminal over an RRC signaling.
 3. The method of claim 1, wherein the updating of the SCG counter value further comprises increasing the SCG counter value.
 4. A method by a second base station in a mobile communication system, the method comprising: transmitting, to a first base station, a request for updating a first security key associated with the second base station if a packet data convergence protocol (PDCP) count associated with a data radio bearer (DRB) wraps around, the first security key being generated by using a secondary cell group (SCG) counter value to avoid a key repetition; receiving, from the first base station, an updated first security key generated by using an updated SCG counter value and a base security key associated with the second base station, the base security key being received from a mobility management entity (MME); and generating a second security key using the updated first security key, wherein the second security key is used for encrypting data between a terminal and the second base station, and wherein at least one cell associated with the first base station and at least one cell associated with the second base station are aggregated for the terminal.
 5. The method of claim 4, wherein a radio resource control (RRC) connection reconfiguration message including the SCG counter value is transmitted from the first base station to the terminal over an RRC signaling.
 6. A first base station in a mobile communication system, the first base station comprising: a transceiver; and at least one processor configured to: receive, via the transceiver, from a second base station, a request for updating a first security key associated with the second base station, the first security key being generated by using a secondary cell group (SCG) counter value to avoid a key repetition, update the freshness input, update the first security key using the SCG counter value and a base security key associated with the first base station, the base security key being received from a mobility management entity (MME), and transmit, via the transceiver, to the second base station, the updated first security key, wherein the updated first security key is used to generate a second security key, which is used for encrypting data between a terminal and the second base station, wherein at least one cell associated with the first base station and at least one cell associated with the second base station are aggregated for the terminal, and wherein the request is received if a packet data convergence protocol (PDCP) count associated with a data radio bearer (DRB) wraps around.
 7. The first base station of claim 6, wherein the at least one processor is further configured to control the transceiver to transmit a radio resource control (RRC) connection reconfiguration message including the freshness SCG counter value to the terminal over an RRC signaling.
 8. The first base station of claim 6, wherein the at least one processor is further configured to increase the SCG counter value.
 9. A second base station in a mobile communication system, the second base station comprising: a transceiver; and at least one processor configured to: transmit, via the transceiver, to a first base station, a request for updating a first security key associated with the second base station if a packet data convergence protocol (PDCP) count associated with a data radio bearer (DRB) wraps around, the first security key being generated by using a secondary cell group (SCG) counter value to avoid a key repetition, receive, via the transceiver, from the first base station, an updated first security key generated by using an updated SCG counter value and a base security key associated with the second base station, the base security key being received from a mobility management entity (MME), and generate a second security key using the updated first security key, wherein the second security key is used for encrypting data between a terminal and the second base station, and wherein at least one cell associated with the first base station and at least one cell associated with the second base station are aggregated for the terminal.
 10. The second base station of claim 9, wherein a radio resource control (RRC) connection reconfiguration message including the SCG counter value is transmitted from the first base station to the terminal over an RRC signaling. 